TL;DR: Verizon’s 2026 DBIR says vulnerability exploitation now accounts for 31% of breaches, overtaking credential abuse for the first time in 19 years, while critical KEV patching fell to 26% and median patch times reached 43 days. The operational problem is no longer awareness but remediation capacity, and patch visibility has become an access-control issue as much as a vulnerability issue.
NHIMG editorial — based on content published by Swarmnetics: Vulnerability exploitation surges ahead as leading breach cause in the new Verizon DBIR
By the numbers:
- vulnerability exploitation being responsible for a majority of breaches at 31%
- organizations reported patching only 26% of these fully, a drop from the prior period
- median patch times that have now dropped to well over a month, 43 days
Questions worth separating out
Q: What breaks when critical vulnerabilities stay exposed in production?
A: When critical vulnerabilities stay exposed, attackers get a faster entry path than credential theft or phishing, and the organisation loses control of the initial breach window.
Q: Why do unpatched systems increase lateral movement risk for NHIs?
A: Unpatched systems increase lateral movement risk because attackers often use the first compromised host to reach service accounts, tokens, shared admin paths, and other non-human identities.
Q: How do security teams know whether patching is actually reducing risk?
A: Security teams know patching is reducing risk when the number of reachable exploit paths falls, not just when ticket counts go down.
Practitioner guidance
- Prioritise exploitable internet-facing assets first Rank vulnerabilities by exposure, known exploitation, and business-critical privilege adjacency so the highest-risk systems are patched ahead of low-value backlog items.
- Tie patch workflows to identity risk review When a critical system is exposed, review the service accounts, API keys, and administrative roles attached to it before declaring remediation complete.
- Track partial remediation as open risk Do not count a vulnerability as managed until the exploitable path is closed, including compensating controls on the asset and any connected NHI access.
What's in the full report
Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:
- The DBIR’s year-over-year breach category breakdown, including the underlying shifts behind the 31% vulnerability exploitation figure.
- The patching and remediation context around CISA KEV items, including the 50% increase in critical vulnerabilities and the 26% full-remediation rate.
- The article’s discussion of shadow IT, AI, ransomware, and third-party failures that sit behind the headline breach trend.
- The source’s interpretation of why patching fatigue, legacy systems, and interoperability issues are shaping breach patterns.
👉 Read Swarmnetics’ analysis of the 2026 DBIR shift to vulnerability exploitation →
Vulnerability exploitation leads breaches now. Are your controls keeping up?
Explore further
Vulnerability exploitation is now an identity problem as much as a patching problem. Once an attacker enters through an exposed service, the question becomes which credentials, tokens, and privileged paths they can reach next. That means IAM and PAM teams must treat exploitability as a downstream access risk, not just a vulnerability backlog. The practitioner conclusion is simple: exposed software and standing privilege now combine into one breach pathway.
A question worth separating out:
Q: Who is accountable when vulnerability exploitation leads to a breach?
A: Accountability should sit with the owners of the exposed service, the remediation process, and the connected access model. If a vulnerability remains reachable, the issue is not only security operations. It is also governance over asset ownership, patch prioritisation, and privileged access containment across internal and third-party systems.
👉 Read our full editorial: Vulnerability exploitation overtakes credential abuse in the 2026 DBIR